
Overview

Organizations that handle credit card data must comply with the Payment Card Industry Data Security Standard (PCI DSS). Working out what the standard actually requires of a given organization can be challenging. This article focuses on which PCI DSS requirements call for security testing, and on the Self-Assessment Questionnaire (SAQ), since that is where most questions about the testing requirements come up.

The security testing an organization must perform depends on which SAQ it completes.

No penetration testing is required for SAQs A, B, B-IP, C-VT, and P2PE.

Some security testing is required for SAQs A-EP, C, and D.

SAQ A-EP

This SAQ is used by e-commerce merchants whose websites do not themselves collect cardholder data but do affect the security of payment transactions. Requirements include:

  • External vulnerability scans (11.2), performed quarterly and after any significant architectural change by an Approved Scanning Vendor (ASV)
  • External penetration testing (11.3.1), performed yearly and after any significant architectural change by an independent and qualified internal resource or a qualified third party
  • Internal segmentation validation testing (11.3.4), performed every six months and after any significant architectural change

SAQ C

This SAQ is used by merchants who do not store cardholder data on any computer system and who process cardholder data through a point-of-sale system or other payment application system connected to the Internet. Requirements include:

  • External vulnerability scans (11.2), performed quarterly and after any significant architectural change by an Approved Scanning Vendor (ASV)
  • Internal vulnerability scans (11.2), performed quarterly and after any significant architectural change by a qualified internal resource or an independent third party
  • Internal segmentation testing (11.3.4), performed every six months and after any significant architectural change

SAQ D

Organizations that do not meet the eligibility criteria of any other SAQ, or that store cardholder data electronically, use this SAQ. Requirements include:

  • External vulnerability scans (11.2), performed quarterly and after any significant architectural change by an Approved Scanning Vendor (ASV)
  • Internal vulnerability scans (11.2), performed quarterly and after any significant architectural change by a qualified internal resource or an independent third party
  • External penetration testing (11.3.1), performed yearly and after any significant architectural change by an independent and qualified internal resource or a qualified third party
  • Internal penetration testing (11.3.1), performed yearly and after any significant architectural change by an independent and qualified internal resource or a qualified third party
  • Internal segmentation testing (11.3.4), performed every six months and after any significant architectural change

Note that the lists above are not a comprehensive inventory of every testing requirement in the PCI DSS; always consult the official PCI DSS documentation to confirm that you meet all requirements that apply to your organization.

If you need a PCI DSS assessment, please use the form below to contact us.